Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2012-08-30
Because mailboxes can potentially contain sensitive, high business impact (HBI) information and personally identifiable information (PII), it's important that you track who logs on to the mailboxes in your organization and what actions are taken. It's especially important to track access to mailboxes by users other than the mailbox owner. These users are referred to as delegate users.
By using mailbox audit logging, you can log mailbox access by mailbox owners, administrators, and delegates (including administrators who have full mailbox access permissions). Mailboxes are considered to be accessed by an administrator only in the following scenarios:
- Discovery search is used to search a mailbox
- The New-MailboxExportRequest
cmdlet is used to export a mailbox
- Microsoft Exchange Server MAPI Editor is used
to access the mailbox
When you enable audit logging for a mailbox, you can specify which user actions (for example, accessing, moving, or deleting a message) should be logged for a logon type (administrator, delegate user, or owner). The audit log entries also include important information, such as the client IP address, host name, and the process or client that is used to access the mailbox. For items that are moved, the entry includes the name of the destination folder.
Note: |
---|
For mailboxes such as the Discovery Search Mailbox, which may contain more sensitive information, consider enabling mailbox audit logging for mailbox owner actions such as message deletion. |
Contents
Enabling Mailbox Audit Logging
Searching Mailbox Audit Log Entries
Mailbox Audit Logs
Mailbox audit logs are generated for each mailbox that has mailbox audit logging enabled. Log entries are stored in the Audits subfolder of the audited mailbox Recoverable Items folder. This ensures that all audit logs are available from a single location, regardless of which client access method was used to access the mailbox or which server or workstation an administrator used to access the mailbox audit log. If you move a mailbox to another Mailbox server, the mailbox audit logs for that mailbox are also moved because they're located in the mailbox.
By default, mailbox audit log entries are retained in the mailbox for 90 days. You can modify this retention period by using the AuditLogAgeLimit parameter together with the Set-Mailbox cmdlet. If a mailbox is on litigation hold, audit logs are retained until the hold is removed.
Enabling Mailbox Audit Logging
Mailbox audit logging is enabled per mailbox. Use the Set-Mailbox cmdlet to enable or disable mailbox audit logging. For details, see Enable or Disable Mailbox Audit Logging for a Mailbox.
When you enable mailbox audit logging for a mailbox, access to the mailbox and certain administrator and delegate actions are logged by default. To log actions taken by the mailbox owner, you must specify which owner actions should be audited. The following table lists the actions logged by mailbox audit logging, including the logon types for which the action is logged.
Mailbox actions logged by mailbox audit logging
Action | Description | Administrator | Delegate | Owner | ||
---|---|---|---|---|---|---|
Copy |
An item is copied to another folder. |
Yes |
Not applicable |
Not applicable |
||
Create |
An item is created in the mailbox. (For example, a message is sent or received.)
|
Yes* |
Yes* |
Yes |
||
FolderBind |
A mailbox folder is accessed.*** |
Yes* |
Yes** |
Yes |
||
HardDelete |
An item is deleted permanently from the Recoverable Items folder. |
Yes* |
Yes* |
Yes |
||
MessageBind |
An item is accessed in the reading pane or opened.*** |
Yes |
Not applicable |
Not applicable |
||
Move |
An item is moved to another folder. |
Yes* |
Yes |
Yes |
||
MoveToDeletedItems |
An item is moved to the Deleted Items folder. |
Yes* |
Yes |
Yes |
||
SendAs |
A message is sent using Send As permissions. |
Yes* |
Yes* |
Not applicable |
||
SendOnBehalf |
A message is sent using Send on Behalf permissions. |
Yes* |
Yes |
Not applicable |
||
SoftDelete |
An item is deleted from the Deleted Items folder. |
Yes* |
Yes* |
Yes |
||
Update |
An item's properties are updated. |
Yes* |
Yes* |
Yes |
* Audited by default if auditing is enabled for a mailbox.
** Entries for folder bind actions that are performed by delegates are consolidated. One log entry is generated for individual folder access within a time span of three hours.
*** FolderBind and MessageBind are not logged for the default calendar.
Mailbox access by authorized automated processes, such as accounts used by third-party tools or accounts used for lawful monitoring, can create a large number of mailbox audit log entries. This may not be of interest to your organization. You can configure such accounts to bypass mailbox audit logging. For details, see Bypass a User Account From Mailbox Audit Logging.
If you no longer require certain types of mailbox actions to be audited, you should modify the mailbox's audit logging configuration to disable those actions. Existing log entries aren't purged until the configured audit log age for the mailbox is reached.
Searching Mailbox Audit Log Entries
You can use the following methods to search mailbox audit log entries:
- Synchronously search a single
mailbox You can use the
Search-MailboxAuditLog cmdlet to synchronously search
mailbox audit log entries for a single mailbox. The cmdlet displays
search results in the Exchange Management Shell window. For more
information, see Search-MailboxAuditLog
and Search the
Mailbox Audit Log for a Mailbox.
- Asynchronously search one or more
mailboxes You can create a mailbox audit log
search to asynchronously search mailbox audit logs for one or more
mailboxes, and then have the search results sent to a specified
e-mail address. The search results are sent as an XML attachment.
To create the search, use the New-MailboxAuditLogSearch
cmdlet. For details, see Create a Mailbox Audit
Log Search.
- Use auditing reports in Exchange Control
Panel You can use the Auditing tab in
Exchange Control Panel (ECP) to run auditing reports or export
entries from the mailbox audit log and the administrator audit log.
For details, see Auditing Tab.
Mailbox Audit Log Entries
The following table describes the fields logged in a mailbox audit logging entry.
Mailbox audit log fields
Field | Populated with |
---|---|
Operation |
One of the following actions:
|
OperationResult |
One of the following results:
|
LogonType |
Logon type of the user who performed the operation. Logon types include:
|
DestFolderId |
Destination folder GUID for move operations. |
DestFolderPathName |
Destination folder path for move operations. |
FolderId |
Folder GUID. |
FolderPathName |
Folder path. |
ClientInfoString |
Details that identify which client or Exchange component performed the operation. |
ClientIPAddress |
Client computer IP address. |
ClientMachineName |
Client computer name. |
ClientProcessName |
Name of the client application process. |
ClientVersion |
Client application version. |
InternalLogonType |
Logon type of the user who performed the operation. Logon types include:
|
MailboxOwnerUPN |
Mailbox owner user principal name (UPN). |
MailboxOwnerSid |
Mailbox owner security identifier (SID). |
DestMailboxOwnerUPN |
Destination mailbox owner UPN, logged for cross-mailbox operations. |
DestMailboxOwnerSid |
Destination mailbox owner SID, logged for cross-mailbox operations. |
DestMailboxOwnerGuid |
Destination mailbox owner GUID. |
CrossMailboxOperation |
Information about whether the operation logged is a cross-mailbox operation (for example, copying or moving messages among mailboxes). |
LogonUserDisplayName |
Display name of user who is logged on. |
DelegateUserDisplayName |
Delegate user display name. |
LogonUserSid |
SID of user who is logged on. |
SourceItems |
ItemID of mailbox items on which the logged action is performed (for example, move or delete). For operations performed on a number of items, this field is returned as a collection of items. |
SourceFolders |
Source folder GUID. |
ItemId |
Item ID. |
ItemSubject |
Item subject. |
MailboxGuid |
Mailbox GUID. |
MailboxResolvedOwnerName |
Mailbox user resolved name in the format DOMAIN\SamAccountName. |
LastAccessed |
Time when the operation was performed. |
Identity |
Audit log entry ID. |